Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2016-07-01 03:46:18
- my_fair_cats_sick
- Contributor
- Registered: 2016-03-15
- Posts: 81
Mifare Plus Card - Dual Keyset? SL0 and SL1 info
I have acquired a reader and a set of software which can write Mifare Plus cards with AES keys. This takes the card from SL0 to SL1.
I have put my own custom keys on a card, and wanted to try the hardnested attack. Now realizing the hardnested is only against the legacy side of the card (12 byte keys for CRYPTO1) I realized I never set those, so they should be default. What is interesting is that hardnested cannot seem to authenticate to the card, but the simple libfreefare tools can dump and re-write the SL1 card no problem, but cannot do anything with the SL0 card.
Does anyone have any idea what I am missing here or can offer some explanation? To help, here is a dump of the card factory fresh SL0, and SL1 reads:
SL0:
proxmark3> hf 14a reader
UID : 04 48 22 b2 d0 32 80
ATQA : 00 44
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : c1 05 2f 2f 00 35 c7 -> MIFARE Plus S 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x0 -> Only VCSL supported
Answers to chinese magic backdoor commands: NO SL1:
proxmark3> hf 14a reader
UID : 04 48 22 b2 d0 32 80
ATQA : 00 44
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
MANUFACTURER : NXP Semiconductors Germany
SAK incorrectly claims that card doesn't support RATS
ATS : 0c 75 77 80 02 c1 05 2f 2f 00 35 c7 60 d3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : c1 05 2f 2f 00 35 c7 -> MIFARE Plus S 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x0 -> Only VCSL supported
Answers to chinese magic backdoor commands: NOOffline
#2 2016-07-01 06:50:18
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,502
- Website
Re: Mifare Plus Card - Dual Keyset? SL0 and SL1 info
Interesting, the only thing that changed was the SAK, from 0x20 -> 0x08
Offline
#3 2016-07-04 13:56:33
- osys
- Contributor
- From: Nearby
- Registered: 2016-03-28
- Posts: 62
Re: Mifare Plus Card - Dual Keyset? SL0 and SL1 info
Indeed, interesting why SL0 is treated as mandatory encryption card... hm...
Offline